msw/CISS.debian.installer
SHA256
2
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Compare commits

base: msw:5eadfa9b00a7a9260ffcc5665c7d4ad8286061f7aa4247d4245a7883a49aeaf3
Branches Tags
msw:master
...
compare: msw:master
Branches Tags
msw:master

32 Commits
5eadfa9b00 ... master

Author SHA256 Message Date
Marc S. Weidner BOT
aa94c53d65 DEPLOY BOT : 🛡️ Shell Script Linting [skip ci] 
X-CI-Metadata: master@aef00ec at 2025-10-26T18:19:48Z on 6f8f9a786bfa

Generated at : 2025-10-26T18:19:48Z
Runner Host  : 6f8f9a786bfa
Workflow ID  : 🛡️ Shell Script Linting
Git Commit   : aef00ec HEAD -> master
 2025-10-26 18:19:48 +00:00
Marc S. Weidner
aef00ec63d V8.00.000.2025.06.17
All checks were successful
🛡️ Shell Script Linting / 🛡️ Shell Script Linting (push) Successful in 1m59s
Details 
Signed-off-by: Marc S. Weidner <msw@coresecret.dev>
 2025-10-26 18:17:28 +00:00
Marc S. Weidner BOT
71d189e2c7 DEPLOY BOT : 🛡️ Shell Script Linting [skip ci] 
X-CI-Metadata: master@403a70a at 2025-10-26T17:24:00Z on 8f92a12ee776

Generated at : 2025-10-26T17:24:00Z
Runner Host  : 8f92a12ee776
Workflow ID  : 🛡️ Shell Script Linting
Git Commit   : 403a70a HEAD -> master
 2025-10-26 17:24:00 +00:00
Marc S. Weidner
403a70a886 Merge remote-tracking branch 'origin/master'
All checks were successful
🛡️ Shell Script Linting / 🛡️ Shell Script Linting (push) Successful in 1m49s
Details
2025-10-26 17:22:09 +00:00
Marc S. Weidner
3d39f44c75 V8.00.000.2025.06.17 
Signed-off-by: Marc S. Weidner <msw@coresecret.dev>
 2025-10-26 17:21:58 +00:00
Marc S. Weidner BOT
28b246d280 DEPLOY BOT : 🛡️ Shell Script Linting [skip ci] 
X-CI-Metadata: master@25e230a at 2025-10-26T17:21:53Z on 2cb42c1f329c

Generated at : 2025-10-26T17:21:53Z
Runner Host  : 2cb42c1f329c
Workflow ID  : 🛡️ Shell Script Linting
Git Commit   : 25e230a HEAD -> master
 2025-10-26 17:21:53 +00:00
Marc S. Weidner
25e230ace4 V8.00.000.2025.06.17
All checks were successful
🛡️ Shell Script Linting / 🛡️ Shell Script Linting (push) Successful in 2m6s
Details 
Signed-off-by: Marc S. Weidner <msw@coresecret.dev>
 2025-10-26 17:19:26 +00:00
Marc S. Weidner BOT
893740c2bf DEPLOY BOT : 🛡️ Shell Script Linting [skip ci] 
X-CI-Metadata: master@85c46f3 at 2025-10-26T16:50:37Z on 1d5ebfdde700

Generated at : 2025-10-26T16:50:37Z
Runner Host  : 1d5ebfdde700
Workflow ID  : 🛡️ Shell Script Linting
Git Commit   : 85c46f3 HEAD -> master
 2025-10-26 16:50:37 +00:00
Marc S. Weidner
85c46f3c4c V8.00.000.2025.06.17
All checks were successful
🛡️ Shell Script Linting / 🛡️ Shell Script Linting (push) Successful in 2m2s
Details 
Signed-off-by: Marc S. Weidner <msw@coresecret.dev>
 2025-10-26 16:48:17 +00:00
Marc S. Weidner BOT
1c83813ec4 DEPLOY BOT : 🛡️ Shell Script Linting [skip ci] 
X-CI-Metadata: master@0023ceb at 2025-10-26T16:27:39Z on 4f47e3dfaa73

Generated at : 2025-10-26T16:27:39Z
Runner Host  : 4f47e3dfaa73
Workflow ID  : 🛡️ Shell Script Linting
Git Commit   : 0023ceb HEAD -> master
 2025-10-26 16:27:39 +00:00
Marc S. Weidner
0023ceb83e V8.00.000.2025.06.17
All checks were successful
🛡️ Shell Script Linting / 🛡️ Shell Script Linting (push) Successful in 1m42s
Details 
Signed-off-by: Marc S. Weidner <msw@coresecret.dev>
 2025-10-26 16:25:44 +00:00
Marc S. Weidner BOT
d54ca7c415 DEPLOY BOT : 🛡️ Shell Script Linting [skip ci] 
X-CI-Metadata: master@6254d98 at 2025-10-26T16:13:03Z on 8e8821304879

Generated at : 2025-10-26T16:13:03Z
Runner Host  : 8e8821304879
Workflow ID  : 🛡️ Shell Script Linting
Git Commit   : 6254d98 HEAD -> master
 2025-10-26 16:13:03 +00:00
Marc S. Weidner
6254d988e6 Merge remote-tracking branch 'origin/master'
All checks were successful
🛡️ Shell Script Linting / 🛡️ Shell Script Linting (push) Successful in 2m2s
Details
2025-10-26 16:10:58 +00:00
Marc S. Weidner
3fb9ebe556 V8.00.000.2025.06.17 
Signed-off-by: Marc S. Weidner <msw@coresecret.dev>
 2025-10-26 16:10:48 +00:00
Marc S. Weidner BOT
8f3763950a DEPLOY BOT : 🛡️ Shell Script Linting [skip ci] 
X-CI-Metadata: master@54e72c0 at 2025-10-26T16:06:58Z on 7888ef2e57e4

Generated at : 2025-10-26T16:06:58Z
Runner Host  : 7888ef2e57e4
Workflow ID  : 🛡️ Shell Script Linting
Git Commit   : 54e72c0 HEAD -> master
 2025-10-26 16:06:58 +00:00
Marc S. Weidner
54e72c014b V8.00.000.2025.06.17
All checks were successful
🛡️ Shell Script Linting / 🛡️ Shell Script Linting (push) Successful in 1m51s
Details 
Signed-off-by: Marc S. Weidner <msw@coresecret.dev>
 2025-10-26 16:05:01 +00:00
Marc S. Weidner BOT
a5282fa305 DEPLOY BOT : 🛡️ Shell Script Linting [skip ci] 
X-CI-Metadata: master@0bde766 at 2025-10-26T15:56:46Z on 5447d238476c

Generated at : 2025-10-26T15:56:46Z
Runner Host  : 5447d238476c
Workflow ID  : 🛡️ Shell Script Linting
Git Commit   : 0bde766 HEAD -> master
 2025-10-26 15:56:46 +00:00
Marc S. Weidner
0bde766c8c Merge remote-tracking branch 'origin/master'
All checks were successful
🛡️ Shell Script Linting / 🛡️ Shell Script Linting (push) Successful in 2m1s
Details
2025-10-26 15:54:42 +00:00
Marc S. Weidner
01275e130e V8.00.000.2025.06.17 
Signed-off-by: Marc S. Weidner <msw@coresecret.dev>
 2025-10-26 15:54:33 +00:00
Marc S. Weidner BOT
a60a1c44ad DEPLOY BOT : 🛡️ Shell Script Linting [skip ci] 
X-CI-Metadata: master@4fc97f6 at 2025-10-26T15:53:14Z on 354c2474ff0d

Generated at : 2025-10-26T15:53:14Z
Runner Host  : 354c2474ff0d
Workflow ID  : 🛡️ Shell Script Linting
Git Commit   : 4fc97f6 HEAD -> master
 2025-10-26 15:53:14 +00:00
Marc S. Weidner
4fc97f6988 Merge remote-tracking branch 'origin/master'
All checks were successful
🛡️ Shell Script Linting / 🛡️ Shell Script Linting (push) Successful in 2m0s
Details
2025-10-26 15:51:11 +00:00
Marc S. Weidner
ab326392e4 V8.00.000.2025.06.17 
Signed-off-by: Marc S. Weidner <msw@coresecret.dev>
 2025-10-26 15:51:02 +00:00
Marc S. Weidner BOT
7920f41bd8 DEPLOY BOT : 🛡️ Shell Script Linting [skip ci] 
X-CI-Metadata: master@9928148 at 2025-10-26T15:50:54Z on ba42564d5f6a

Generated at : 2025-10-26T15:50:54Z
Runner Host  : ba42564d5f6a
Workflow ID  : 🛡️ Shell Script Linting
Git Commit   : 9928148 HEAD -> master
 2025-10-26 15:50:54 +00:00
Marc S. Weidner
9928148850 V8.00.000.2025.06.17
All checks were successful
🛡️ Shell Script Linting / 🛡️ Shell Script Linting (push) Successful in 1m52s
Details 
Signed-off-by: Marc S. Weidner <msw@coresecret.dev>
 2025-10-26 15:48:56 +00:00
Marc S. Weidner BOT
693f3252ab DEPLOY BOT : 🛡️ Shell Script Linting [skip ci] 
X-CI-Metadata: master@bd099f5 at 2025-10-26T15:46:52Z on b01ff1809bf2

Generated at : 2025-10-26T15:46:52Z
Runner Host  : b01ff1809bf2
Workflow ID  : 🛡️ Shell Script Linting
Git Commit   : bd099f5 HEAD -> master
 2025-10-26 15:46:52 +00:00
Marc S. Weidner
bd099f5cec V8.00.000.2025.06.17
All checks were successful
🛡️ Shell Script Linting / 🛡️ Shell Script Linting (push) Successful in 1m44s
Details 
Signed-off-by: Marc S. Weidner <msw@coresecret.dev>
 2025-10-26 15:44:59 +00:00
Marc S. Weidner BOT
dc9521bac8 DEPLOY BOT : 🛡️ Shell Script Linting [skip ci] 
X-CI-Metadata: master@f927caf at 2025-10-26T15:33:02Z on 558d44a1dd91

Generated at : 2025-10-26T15:33:02Z
Runner Host  : 558d44a1dd91
Workflow ID  : 🛡️ Shell Script Linting
Git Commit   : f927caf HEAD -> master
 2025-10-26 15:33:02 +00:00
Marc S. Weidner
f927caf036 V8.00.000.2025.06.17
All checks were successful
🛡️ Shell Script Linting / 🛡️ Shell Script Linting (push) Successful in 1m42s
Details 
Signed-off-by: Marc S. Weidner <msw@coresecret.dev>
 2025-10-26 15:31:13 +00:00
Marc S. Weidner
9d0b956ece V8.00.000.2025.06.17
Some checks failed
🛡️ Shell Script Linting / 🛡️ Shell Script Linting (push) Has been cancelled
Details 
Signed-off-by: Marc S. Weidner <msw@coresecret.dev>
 2025-10-26 15:29:47 +00:00
Marc S. Weidner BOT
def3971add DEPLOY BOT : 🛡️ Shell Script Linting [skip ci] 
X-CI-Metadata: master@a9a7db7 at 2025-10-26T15:18:45Z on cabf48d956c9

Generated at : 2025-10-26T15:18:45Z
Runner Host  : cabf48d956c9
Workflow ID  : 🛡️ Shell Script Linting
Git Commit   : a9a7db7 HEAD -> master
 2025-10-26 15:18:45 +00:00
Marc S. Weidner
a9a7db7c6b V8.00.000.2025.06.17
All checks were successful
🛡️ Shell Script Linting / 🛡️ Shell Script Linting (push) Successful in 1m52s
Details 
Signed-off-by: Marc S. Weidner <msw@coresecret.dev>
 2025-10-26 15:16:37 +00:00
Marc S. Weidner
a2b1fcb457 V8.00.000.2025.06.17 
Signed-off-by: Marc S. Weidner <msw@coresecret.dev>
 2025-10-26 15:11:48 +00:00
25 changed files with 426 additions and 333 deletions
Expand all files Collapse all files

6
.preseed/SECRETS.yaml
View File

@@ -34,12 +34,12 @@ secrets:
################################################################################################################################ ################################################################################################################################
luks: luks:
backup: backup:
note: "The value is '<share-identifier>:<password>' (colon-separated). Use the same dedicated destination and credentials across servers." note: "The value is [<share-identifier>:<password>] (colon-separated). Use the same dedicated destination and credentials across servers."
scope: "offsite-backup" scope: "offsite-backup"
type: "plain" type: "plain"
value: "NextcloudFolderNameOrShareID:SuperSecurePassword123!" value: "NextcloudFolderNameOrShareID:SuperSecurePassword123!"
boot: boot:
note: "Dedicated passphrase for the '/boot' partition; chosen for easy manual input via the VPS web console." note: "Dedicated passphrase for the [/boot] partition; chosen for easy manual input via the VPS web console."
scope: "luks" scope: "luks"
type: "plain" type: "plain"
value: "Ceterum_censeo_Bruxellam_et_Berolinum_delenda_esse!" value: "Ceterum_censeo_Bruxellam_et_Berolinum_delenda_esse!"
@@ -59,7 +59,7 @@ secrets:
seeds: seeds:
mfa: mfa:
info: info:
note: "MFA version identifier (e.g., 'totp:v1') for seamless mfa secrets rollover." note: "MFA version identifier, e.g., [totp:v1] for seamless mfa secrets rollover."
scope: "mfa" scope: "mfa"
type: "plain" type: "plain"
value: "totp:v1" value: "totp:v1"

1
.preseed/mfa_master.txt
View File

@@ -1 +0,0 @@
7cad63da408c27b5121c89cdd0cf878b8f8df1f34bcc0a944152261ee1481fda

2
.preseed/partitioning.yaml
View File

@@ -35,7 +35,7 @@ recipe:
luks_backup: true # Specify if LUKS Header backups should be created. If so, provide an external backup URL: luks_backup: true # Specify if LUKS Header backups should be created. If so, provide an external backup URL:
# luks_backup_url: "https://cloud.e2ee.li/" or leave empty for local backup. # luks_backup_url: "https://cloud.e2ee.li/" or leave empty for local backup.
# Also provide the cloud access token and access passwords via # Also provide the cloud access token and access passwords via
# ./.preseed/password_luks_backup.txt. Yet Nextcloud only is supported. # ./.preseed/SECRETS.yaml. Yet Nextcloud only is supported.
luks_backup_url: "https://cloud.e2ee.li/" luks_backup_url: "https://cloud.e2ee.li/"
luks_backup_pgp: "ciss" # Specify the trigger for use of the LUKS Header backup encryption key. luks_backup_pgp: "ciss" # Specify the trigger for use of the LUKS Header backup encryption key.
# Allowed values are: 'ciss', and 'physnet'. MUST be provided. # Allowed values are: 'ciss', and 'physnet'. MUST be provided.

1
.preseed/password_grub.txt
View File

@@ -1 +0,0 @@
PleASE_CHan3e_M!

1
.preseed/password_luks_backup.txt
View File

@@ -1 +0,0 @@
SJF3kOdvm0o9xwT:VdmXE^2w^VTFJeJPdHkd7qNwQVf^7SDmcyZKjcfadS

1
.preseed/password_luks_boot.txt
View File

@@ -1 +0,0 @@
Ceterum_censeo_Bruxellam_et_Berolinum_delenda_esse!

1
.preseed/password_luks_common.txt
View File

@@ -1 +0,0 @@
Ceterum_censeo_Bruxellam_et_Berolinum_delenda_esse!

1
.preseed/password_luks_nuke.txt
View File

@@ -1 +0,0 @@
THIS_IS_THE_NUKE_PASSWORD!

9
.preseed/preseed.yaml
View File

@@ -13,14 +13,14 @@
# This file contains configurations for the CISS.debian.installer # This file contains configurations for the CISS.debian.installer
# Master V8.00.000.2025.06.17 # Master V8.00.000.2025.06.17
# YAML specification: 1.2 # YAML specification: 1.2
#
preseed: preseed:
description: "Configuration values for automated installation of encrypted systems on this host via primordial-workflow™." description: "Configuration values for automated installation of encrypted systems on this host via primordial-workflow™."
created_at: "2025-10-23" created_at: "2025-10-23"
created_for: "host_domain_tld" created_for: "host_domain_tld"
name: "CISS.debian.installer" name: "CISS.debian.installer"
version: "V8.00.000.2025.06.17" version: "V8.00.000.2025.06.17"
#
################################################################################################################################ ################################################################################################################################
# APT settings # APT settings
################################################################################################################################ ################################################################################################################################
@@ -454,7 +454,7 @@ grub:
other-os: true # This one makes grub-installer install to the UEFI partition '/boot' record if it also finds other-os: true # This one makes grub-installer install to the UEFI partition '/boot' record if it also finds
# some other OS, which is less safe as it might not be able to boot that other OS. # some other OS, which is less safe as it might not be able to boot that other OS.
password: true # If you want to set a password for GRUB. The password MUST be set at: password: true # If you want to set a password for GRUB. The password MUST be set at:
# '/.preseed/password_grub.txt'. # '/.preseed/SECRETS.yaml'.
prober: false # OS-prober did not detect any other operating systems on your computer at this time, but you prober: false # OS-prober did not detect any other operating systems on your computer at this time, but you
# may still wish to enable it in case you install more in the future. # may still wish to enable it in case you install more in the future.
skip: false # Skip installing grub. skip: false # Skip installing grub.
@@ -839,9 +839,6 @@ ssh:
# User settings # User settings
################################################################################################################################ ################################################################################################################################
user: user:
mfa:
info: "totp:v1"
salt: "CISS:CDI:OTP" # + (Server_FQDN/Username)
############################################################################################################################## ##############################################################################################################################
# Root: The superuser account (normally disabled for direct login). # Root: The superuser account (normally disabled for direct login).
# Key 'user.root.password' MUST contain a valid yescrypt hashed password string. # Key 'user.root.password' MUST contain a valid yescrypt hashed password string.

4
LINTER_RESULTS.txt
View File

@@ -1,5 +1,5 @@
# SPDX-Version: 3.0 # SPDX-Version: 3.0
# SPDX-CreationInfo: 2025-10-25; WEIDNER, Marc S.; <msw@coresecret.dev> # SPDX-CreationInfo: 2025-10-26; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.installer.git # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.installer.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev> # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
@@ -9,7 +9,7 @@
# SPDX-PackageName: CISS.debian.installer # SPDX-PackageName: CISS.debian.installer
# SPDX-Security-Contact: security@coresecret.eu # SPDX-Security-Contact: security@coresecret.eu
This file was automatically generated by the DEPLOY BOT on: "2025-10-25T05:15:03Z". This file was automatically generated by the DEPLOY BOT on: "2025-10-26T18:19:45Z".
⚠️ The last linter check was NOT successful. ⚠️ ⚠️ The last linter check was NOT successful. ⚠️

4
README.md
View File

@@ -11,8 +11,8 @@ include_toc: true
[![Static Badge](https://badges.coresecret.dev/badge/shellformat-passed-white?style=plastic&logo=google&logoColor=white&logoSize=auto&label=shellformat&color=%234285F4)](https://github.com/mvdan/sh) &nbsp; [![Static Badge](https://badges.coresecret.dev/badge/shellformat-passed-white?style=plastic&logo=google&logoColor=white&logoSize=auto&label=shellformat&color=%234285F4)](https://github.com/mvdan/sh) &nbsp;
[![Static Badge](https://badges.coresecret.dev/badge/Shellstyle-Google-white?style=plastic&logo=google&logoColor=white&logoSize=auto&label=Shellstyle&color=%234285F4)](https://google.github.io/styleguide/shellguide.html) [![Static Badge](https://badges.coresecret.dev/badge/Shellstyle-Google-white?style=plastic&logo=google&logoColor=white&logoSize=auto&label=Shellstyle&color=%234285F4)](https://google.github.io/styleguide/shellguide.html)
&nbsp; &nbsp;
[![Static Badge](https://badges.coresecret.dev/badge/Gitea-1.24.6-white?style=plastic&logo=gitea&logoColor=white&logoSize=auto&label=gitea&color=%23609926)](https://docs.gitea.com/) &nbsp; [![Static Badge](https://badges.coresecret.dev/badge/Gitea-1.24.7-white?style=plastic&logo=gitea&logoColor=white&logoSize=auto&label=gitea&color=%23609926)](https://docs.gitea.com/) &nbsp;
[![Static Badge](https://badges.coresecret.dev/badge/IntelliJ-2025.2.2-white?style=plastic&logo=intellijidea&logoColor=white&logoSize=auto&label=IntelliJ&color=%23000000)](https://www.jetbrains.com/store/?section=personal&billing=yearly) &nbsp; [![Static Badge](https://badges.coresecret.dev/badge/IntelliJ-2025.2.4-white?style=plastic&logo=intellijidea&logoColor=white&logoSize=auto&label=IntelliJ&color=%23000000)](https://www.jetbrains.com/store/?section=personal&billing=yearly) &nbsp;
[![Static Badge](https://badges.coresecret.dev/badge/keepassxc-2.7.10-white?style=plastic&logo=keepassxc&logoColor=white&logoSize=auto&label=KeePassXC&color=%236CAC4D)](https://keepassxc.org/) &nbsp; [![Static Badge](https://badges.coresecret.dev/badge/keepassxc-2.7.10-white?style=plastic&logo=keepassxc&logoColor=white&logoSize=auto&label=KeePassXC&color=%236CAC4D)](https://keepassxc.org/) &nbsp;
[![Static Badge](https://badges.coresecret.dev/badge/netcup-Netcup-white?style=plastic&logo=netcup&logoColor=white&logoSize=auto&label=powered&color=%23056473)](https://www.netcup.com/de) &nbsp; [![Static Badge](https://badges.coresecret.dev/badge/netcup-Netcup-white?style=plastic&logo=netcup&logoColor=white&logoSize=auto&label=powered&color=%23056473)](https://www.netcup.com/de) &nbsp;
[![Static Badge](https://badges.coresecret.dev/badge/powered-Centurion-white?style=plastic&logo=europeanunion&logoColor=white&logoSize=auto&label=powered&color=%230F243E)](https://coresecret.eu/) &nbsp; [![Static Badge](https://badges.coresecret.dev/badge/powered-Centurion-white?style=plastic&logo=europeanunion&logoColor=white&logoSize=auto&label=powered&color=%230F243E)](https://coresecret.eu/) &nbsp;

13
ciss_debian_installer.sh
View File

@@ -24,7 +24,7 @@
# TODO: Copying Log Files to final System # TODO: Copying Log Files to final System
# TODO: Integrate CISS.debian.installer calling arguments and preseed.yaml into CISS.debian.live.builder build chain? # TODO: Integrate CISS.debian.installer calling arguments and preseed.yaml into CISS.debian.live.builder build chain?
# TODO: Reboot function for Autoinstall, Clean Exit, Flush Logs, luksClose, umount # TODO: Reboot function for Autoinstall, Clean Exit, Flush Logs, luksClose, umount
# TODO: Implement loop_pass() for other passwords 0105_arg_nuke_converter.sh # TODO: Implement loop_pass() for other passwords 1257_yaml_xnuke.sh
# TODO: Implement / Integrate IP, Port validation CDI_1200 # TODO: Implement / Integrate IP, Port validation CDI_1200
### WHY BASH? ### WHY BASH?
@@ -198,10 +198,6 @@ arg_parser "$@"
info_echo "0103_arg_priority_check.sh" info_echo "0103_arg_priority_check.sh"
arg_priority_check arg_priority_check
### HASHING PASSWORDS.
info_echo "0105_arg_nuke_converter.sh"
nuke_passphrase
### CDI_1250 ### CDI_1250
info_echo "1250_yaml_parser.sh" info_echo "1250_yaml_parser.sh"
@@ -213,8 +209,11 @@ yaml_reader
info_echo "1252_yaml_validator.sh" info_echo "1252_yaml_validator.sh"
yaml_validator yaml_validator
#info_echo "1256_secret_parser.sh" info_echo "1256_yaml_xfiles.sh"
#yaml_secret yaml_secret
info_echo "1257_yaml_xnuke.sh"
nuke_passphrase
### CDI_3200 ### CDI_3200

10
func/cdi_1250_yaml/1250_yaml_parser.sh
View File

@@ -44,28 +44,36 @@ yaml_parser() {
### Generate Arrays for [Grub Parameter], [Locales], [NTPSec Server FQDN], [Software Packages]. ### Generate Arrays for [Grub Parameter], [Locales], [NTPSec Server FQDN], [Software Packages].
while IFS='=' read -r var_key var_value; do while IFS='=' read -r var_key var_value; do
var_value=${var_value#\'} var_value=${var_value#\'}
var_value=${var_value%\'} var_value=${var_value%\'}
# shellcheck disable=SC2034,SC2249 # shellcheck disable=SC2034,SC2249
case "${var_key}" in case "${var_key}" in
grub_parameter_[0-9]*) ARY_BOOTPARAM+=("${var_value}") ;; grub_parameter_[0-9]*) ARY_BOOTPARAM+=("${var_value}") ;;
locale_locale_[0-9]*) ARY_LOCALE+=("${var_value}") ;; locale_locale_[0-9]*) ARY_LOCALE+=("${var_value}") ;;
ntp_server_[0-9]*) ARY_NTPSRVR+=("${var_value}") ;; ntp_server_[0-9]*) ARY_NTPSRVR+=("${var_value}") ;;
ssh_allow_ipv4_[0-9]*) ARY_ALLOW_IPV4+=("${var_value}") ;; ssh_allow_ipv4_[0-9]*) ARY_ALLOW_IPV4+=("${var_value}") ;;
ssh_allow_ipv6_[0-9]*) ARY_ALLOW_IPV6+=("${var_value}") ;; ssh_allow_ipv6_[0-9]*) ARY_ALLOW_IPV6+=("${var_value}") ;;
software_[0-9]*) ARY_PACKAGES+=("${var_value}") ;; software_[0-9]*) ARY_PACKAGES+=("${var_value}") ;;
esac esac
done < "${VAR_PRESEED}" done < "${VAR_PRESEED}"
var_key="" var_key=""
### Search all set variables for user_userN_name patterns. ### Search all set variables for user_userN_name patterns.
# shellcheck disable=SC2312 # shellcheck disable=SC2312
while IFS='=' read -r var_key _; do while IFS='=' read -r var_key _; do
### Accept any of these keys: name, fullname, uid, gid, shell, password, sshpubkey, authentication_* and privileges_* ### Accept any of these keys: name, fullname, uid, gid, shell, password, sshpubkey, authentication_* and privileges_*
if [[ "${var_key}" =~ ^user_user([0-9]+)_(name|fullname|uid|gid|shell|password|sshpubkey|authentication_[A-Za-z0-9_]+|privileges_[A-Za-z0-9_]+)$ ]]; then if [[ "${var_key}" =~ ^user_user([0-9]+)_(name|fullname|uid|gid|shell|password|sshpubkey|authentication_[A-Za-z0-9_]+|privileges_[A-Za-z0-9_]+)$ ]]; then
var_index=${BASH_REMATCH[1]} var_index=${BASH_REMATCH[1]}
(( var_index > VAR_USER_MAX )) && VAR_USER_MAX=var_index (( var_index > VAR_USER_MAX )) && VAR_USER_MAX=var_index
fi fi
done < "${VAR_PRESEED}" done < "${VAR_PRESEED}"
### If nothing matched, default to 0 (only user 0). ### If nothing matched, default to 0 (only user 0).
@@ -87,7 +95,7 @@ yaml_parser() {
# --- Quote unquoted values ------------------------------------------- # --- Quote unquoted values -------------------------------------------
s/^(.*)=([^'\''"]+)/\1='\''\2'\''/ # wrap value in single quotes s/^(.*)=([^'\''"]+)/\1='\''\2'\''/ # wrap value in single quotes
' "${VAR_PRESEED}" ' "${VAR_PRESEED}"
# shellcheck disable=SC1090 # shellcheck disable=SC1090
. "${VAR_PRESEED}" . "${VAR_PRESEED}"

206
func/cdi_1250_yaml/1256_secret_parser.sh
View File

@@ -1,206 +0,0 @@
#!/bin/bash
# SPDX-Version: 3.0
# SPDX-CreationInfo: 2025-06-17; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.installer.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-FileType: SOURCE
# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
# SPDX-PackageName: CISS.debian.installer
# SPDX-Security-Contact: security@coresecret.eu
guard_sourcing || return "${ERR_GUARD_SOURCE}"
#######################################
# Debug helper: list variable names (no values).
# Globals:
# CISS_SECRETS_MAP
# Arguments:
# None
# Returns:
# 0: on success
#######################################
ciss_secrets_list_names() {
### Declare Arrays, HashMaps, and Variables.
declare var_k=""
for var_k in "${!CISS_SECRETS_MAP[@]}"; do
printf '%s.value -> %s\n' "${var_k}" "${CISS_SECRETS_MAP[${var_k}]}"
done
return 0
}
### Prevents accidental 'unset -f'.
# shellcheck disable=SC2034
readonly -f ciss_secrets_list_names
#######################################
# Unset all previously created secret variables.
# Globals:
# CISS_SECRETS_MAP
# Arguments:
# None
# Returns:
# 0: on success
#######################################
ciss_secrets_unset() {
### Declare Arrays, HashMaps, and Variables.
declare var_k="" var_v=""
guard_trace on
for var_k in "${!CISS_SECRETS_MAP[@]}"; do
var_v="${CISS_SECRETS_MAP[${var_k}]}"
if [[ -v "${var_v}" ]]; then
unset -v "${var_v}" 2>/dev/null || true
fi
done
CISS_SECRETS_MAP=()
guard_trace off
return 0
}
### Prevents accidental 'unset -f'.
# shellcheck disable=SC2034
readonly -f ciss_secrets_unset
#######################################
# Build the canonical var name from a dotted path (without 'secrets.' and without '.value').
# Globals:
# None
# Arguments:
# 1: Variable path
# Returns:
# 0: on success
#######################################
ciss_secret_varname_from_path() {
### Declare Arrays, HashMaps, and Variables.
declare var_path="${1:-}"
var_path="${var_path//[^A-Za-z0-9_]/_}"
var_path="${var_path^^}"
printf 'CISS_SECRET_%s' "${var_path}"
return 0
}
### Prevents accidental 'unset -f'.
# shellcheck disable=SC2034
readonly -f ciss_secret_varname_from_path
#######################################
# Purpose:
# High-performance parsing of only "*.value" keys from 'SECRETS.yaml' into Bash globals.
# If the file contains SOPS markers, decrypt once (streaming) with sops/age, then yq parses in a single pass.
# No base64, plain values preserved (including newlines). No repeated per-key decrypts or yq calls.
# Conventions:
# Variables: CISS_SECRET_<UPPER_SNAKE_CASE_PATH> (PATH excludes "secrets." and trailing ".value")
# All with "declare -g" (no export).
# Mapping: CISS_SECRETS_MAP["foo.bar"]=CISS_SECRET_FOO_BAR
# Security:
# No logging of values. No plaintext temp files. Streaming pipeline; no full-doc materialization.
# Globals:
# CISS_SECRETS_MAP
# CISS_SECRETS_SOURCE
# DIR_CNF
# ERR_MISSING_AGE_KEY
# Arguments:
# None
# Returns:
# 0: on success
#######################################
yaml_secret() {
### Declare Arrays, HashMaps, and Variables.
declare -r SOPS_AGE_KEY_FILE="/root/.config/sops/age/keys.txt"
declare secrets_encrypted="" secrets_yaml="${CISS_SECRETS_SOURCE}" \
__path="" __path_wo_prefix="" __pipe_fd="" __umask="" __value="" __varname=""
secrets_encrypted="$(yq -r '.secrets.x_files // false' -- "${secrets_yaml}")" || secrets_encrypted="false"
if [[ "${secrets_encrypted}" == "true" ]]; then
if ! command -v sops >/dev/null 2>&1; then
do_log "fatal" "file_only" "1260() SOPS not found but SECRETS.yaml appears to be SOPS-managed."
return "${ERR_MISSING_AGE_BIN}"
fi
[[ -r "${SOPS_AGE_KEY_FILE}" ]] || return "${ERR_MISSING_AGE_KEY}"
fi
__umask=$(umask)
umask 0077
### Create the producer as a process substitution.
if [[ "${secrets_encrypted}" == "true" ]]; then
### Decrypt once, stream into yq; avoid storing full doc in memory; emits '<path>\0<value>\0' for each 'secrets.*.value'
# shellcheck disable=SC2016,SC2312
exec {__pipe_fd}< <(
sops -d --input-type=yaml --output-type=yaml -- "${secrets_yaml}" | yq -r -N -0 'leaf_paths as $p
| select($p[0]=="secrets" and $p[-1]=="value")
| ($p[0:-1] | join(".")), ((getpath($p)//"") | tostring)
' -
)
else
# shellcheck disable=SC2016,SC2312
exec {__pipe_fd}< <( yq -r -N -0 'path(..) as $p | select($p[0]=="secrets" and $p[-1]=="value") | ($p[0:-1]|join("."))' -- "${secrets_yaml}" )
fi
### Single consumer: read NUL-delimited pairs and assign variables.
### Loop invariant: next read is PATH, then VALUE. Stop cleanly at EOF.
while :; do
### Read path (up to NUL); break on EOF.
IFS= read -r -d '' __path <&"${__pipe_fd}" || break
echo "${__path}"
### Read value (up to NUL); if missing (odd count), treat as empty
IFS= read -r -d '' __value <&"${__pipe_fd}" || __value=""
echo "${__value}"
### Drop the leading 'secrets.' prefix for naming.
__path_wo_prefix="${__path#secrets.}"
echo "${__path_wo_prefix}"
__varname="$(ciss_secret_varname_from_path "${__path_wo_prefix}")"
echo "${__varname}"
### Assign to a global variable, preserving content verbatim (including newlines).
unset -v "${__varname}"
declare -g "${__varname}"
printf -v "${__varname}" '%s' "${__value}"
### Track in the map (without .value)
CISS_SECRETS_MAP["${__path_wo_prefix}"]="${__varname}"
done
### Close the producer FD
exec {__pipe_fd}<&-
umask "${__umask}"
echo "Inside 1256()"
sleep 60
guard_dir; return 0
}
### Prevents accidental 'unset -f'.
# shellcheck disable=SC2034
readonly -f yaml_secret
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

271
func/cdi_1250_yaml/1256_yaml_xfiles.sh Normal file
View File

@@ -0,0 +1,271 @@
#!/bin/bash
# SPDX-Version: 3.0
# SPDX-CreationInfo: 2025-06-17; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.installer.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-FileType: SOURCE
# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
# SPDX-PackageName: CISS.debian.installer
# SPDX-Security-Contact: security@coresecret.eu
guard_sourcing || return "${ERR_GUARD_SOURCE}"
#######################################
# Debug helper: list variable names (no values).
# Globals:
# CISS_SECRETS_MAP
# Arguments:
# None
# Returns:
# 0: on success
#######################################
ciss_secrets_list_names() {
### Declare Arrays, HashMaps, and Variables.
declare var_k=""
for var_k in "${!CISS_SECRETS_MAP[@]}"; do
printf '%s.value -> %s\n' "${var_k}" "${CISS_SECRETS_MAP[${var_k}]}"
done
return 0
}
### Prevents accidental 'unset -f'.
# shellcheck disable=SC2034
readonly -f ciss_secrets_list_names
#######################################
# Unset all previously created secret variables.
# Globals:
# CISS_SECRETS_MAP
# Arguments:
# None
# Returns:
# 0: on success
#######################################
ciss_secrets_unset() {
### Declare Arrays, HashMaps, and Variables.
declare var_k="" var_v=""
### SECRETS handling ---------------------------------------------------------------------------------------------------------
guard_trace on
for var_k in "${!CISS_SECRETS_MAP[@]}"; do
var_v="${CISS_SECRETS_MAP[${var_k}]}"
if [[ -v "${var_v}" ]]; then
unset -v "${var_v}" 2>/dev/null || true
fi
done
CISS_SECRETS_MAP=()
guard_trace off
### SECRETS handling ---------------------------------------------------------------------------------------------------------
return 0
}
### Prevents accidental 'unset -f'.
# shellcheck disable=SC2034
readonly -f ciss_secrets_unset
#######################################
# Build the canonical var name from a dotted path (without 'secrets.' and without '.value').
# Globals:
# None
# Arguments:
# 1: Variable path
# Returns:
# 0: on success
#######################################
ciss_secret_varname_from_path() {
### Declare Arrays, HashMaps, and Variables.
declare var_path="${1:-}"
var_path="${var_path//[^A-Za-z0-9_]/_}"
var_path="${var_path^^}"
printf 'CISS_SECRET_%s' "${var_path}"
return 0
}
### Prevents accidental 'unset -f'.
# shellcheck disable=SC2034
readonly -f ciss_secret_varname_from_path
#######################################
# Wipes the specified file securely.
# Globals:
# None
# Arguments:
# 1: File to wipe
# Returns:
# 0: on success
#######################################
ciss_secrets_wiper() {
### Declare Arrays, HashMaps, and Variables.
declare var_file="${1:-}"
if [[ -f "${var_file}" ]]; then
: >| "${var_file}"
shred -vfzu -n 5 "${var_file}" > /dev/null 2>&1 || rm -f -- "${var_file}"
fi
return 0
}
### Prevents accidental 'unset -f'.
# shellcheck disable=SC2034
readonly -f ciss_secrets_wiper
#######################################
# Purpose:
# Parsing of only "*.value" keys from 'SECRETS.yaml' into Bash globals.
# If the file contains SOPS markers, decrypt once (streaming) with sops/age, then yq parses in a single pass.
# No base64, plain values preserved (including newlines). No repeated per-key decrypts or yq calls.
# Conventions:
# Variables: CISS_SECRET_<UPPER_SNAKE_CASE_PATH> (PATH excludes "secrets." and trailing ".value")
# All with "declare -g" (no export).
# Mapping: CISS_SECRETS_MAP["foo.bar"]=CISS_SECRET_FOO_BAR
# Globals:
# CISS_SECRETS_AGE
# CISS_SECRETS_MAP
# CISS_SECRETS_SOURCE
# DIR_CNF
# Arguments:
# None
# Returns:
# 0: on success
# ERR_DECRYPTION_SOPS: on failure
# ERR_MISSING_AGE_BIN: on failure
# ERR_MISSING_AGE_KEY: on failure
#######################################
yaml_secret() {
### Declare Arrays, HashMaps, and Variables.
declare -r SOPS_AGE_KEY_FILE="${CISS_SECRETS_AGE}"
declare -a __names=()
declare secrets_encrypted="" secrets_if="${CISS_SECRETS_SOURCE}" secrets_of="${DIR_CNF}/SECRETS_DECRYPTED.yaml" \
__SECRETS="${DIR_CNF}/SECRETS_BASH.var" \
__base="" __name="" __umask="" __path_wo_prefix="" __val="" __varname=""
__umask=$(umask)
umask 0077
### SECRETS handling ---------------------------------------------------------------------------------------------------------
guard_trace on
secrets_encrypted="$(yq -r '.secrets.x_files // false' -- "${secrets_if}")" || secrets_encrypted="false"
do_log "debug" "file_only" "1256() 'secrets_encrypted' according to secrets.x_files: '${secrets_encrypted}'."
if grep -qE '(^|\s)sops:\s*$' -- "${secrets_if}" 2>/dev/null || grep -q 'ENC\[' -- "${secrets_if}" 2>/dev/null; then
secrets_encrypted="true"
do_log "debug" "file_only" "1256() 'secrets_encrypted' according to heuristic mode: '${secrets_encrypted}'."
fi
if [[ "${secrets_encrypted}" == "true" ]]; then
if ! command -v sops >/dev/null 2>&1; then
do_log "fatal" "file_only" "1260() SOPS not found but SECRETS.yaml appears to be SOPS-managed."
return "${ERR_MISSING_AGE_BIN}"
fi
[[ -r "${SOPS_AGE_KEY_FILE}" ]] || return "${ERR_MISSING_AGE_KEY}"
sops -d --input-type=yaml --output-type=yaml -- "${secrets_if}" >| "${secrets_of}"
[[ -r "${secrets_of}" ]] || return "${ERR_DECRYPTION_SOPS}"
ciss_secrets_wiper "${secrets_if}" && mv "${secrets_of}" "${secrets_if}"
fi
yq -o=shell "${secrets_if}" >| "${__SECRETS}" && ciss_secrets_wiper "${secrets_if}"
### Keep only '*_value=' lines, normalize empty RHS, quote unquoted simple RHS.
LC_ALL=C sed -n -E '
/^[[:space:]]*(#|$)/b
s/^[[:space:]]*(export|declare[[:space:]]+-x)[[:space:]]+//;
/^[[:space:]]*[A-Za-z_][A-Za-z0-9_]*_value=/!b
s/^([[:space:]]*[A-Za-z_][A-Za-z0-9_]*_value)=[[:space:]]*$/\1='\'''\''/; t print
/^[[:space:]]*[A-Za-z_][A-Za-z0-9_]*_value=[[:space:]]*('"'"'|\"|\$'"'"')/b print
s/^([[:space:]]*[A-Za-z_][A-Za-z0-9_]*_value)=([^[[:space:]]'"'"'$][^[:space:]]*)[[:space:]]*$/\1='"'"'\2'"'"'/; t print
s/^([[:space:]]*[A-Za-z_][A-Za-z0-9_]*_value)=[[:space:]]*(.+)[[:space:]]*$/\1='"'"'\2'"'"'/; t print
:print
p
' -- "${__SECRETS}" >| "${__SECRETS}.value_only"
mv -f -- "${__SECRETS}.value_only" "${__SECRETS}"
# shellcheck disable=SC1091 source=./${__SECRETS}
source "${__SECRETS}"
ciss_secrets_wiper "${__SECRETS}"
# shellcheck disable=SC2312
mapfile -t __names < <(printf '%s\n' "${!secrets_@}")
for __name in "${__names[@]}"; do
### Keep only *_value variables
[[ "${__name}" == *_value ]] || continue
### Validate strict Bash identifier (defensive: strip accidental CR).
__name="${__name%$'\r'}"
[[ "${__name}" =~ ^[A-Za-z_][A-Za-z0-9_]*$ ]] || continue
### Only read if actually set; indirect check without triggering nounset.
if [[ -n "${!__name+x}" ]]; then
__val="${!__name}"
else
__val=""
fi
### Strip suffix/prefix for the map key.
__base="${__name%_value}"
__path_wo_prefix="${__base#secrets_}"
### Canonical CISS name.
__varname="$(ciss_secret_varname_from_path "${__path_wo_prefix}")"
### Assign verbatim (preserves newlines).
unset -v "${__varname}"
declare -g "${__varname}"
printf -v "${__varname}" '%s' "${__val}"
CISS_SECRETS_MAP["${__path_wo_prefix}"]="${__varname}"
done
### Hygiene: remove the intermediate variables to reduce secret surface, e.g., unset 'secrets_*_value' after transfer.
for __name in "${__names[@]}"; do
unset -v "${__name}"
done
umask "${__umask}"
guard_trace off
### SECRETS handling ---------------------------------------------------------------------------------------------------------
guard_dir; return 0
}
### Prevents accidental 'unset -f'.
# shellcheck disable=SC2034
readonly -f yaml_secret
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

38
lib/cdi_0100_arg/0105_arg_nuke_converter.sh → func/cdi_1250_yaml/1257_yaml_xnuke.sh
View File

@@ -15,18 +15,22 @@ guard_sourcing || return "${ERR_GUARD_SOURCE}"
####################################### #######################################
# Generates 'nuke=HASH' Bootparameter. # Generates 'nuke=HASH' Bootparameter.
# Globals: # Globals:
# CISS_SECRET_LUKS_NUKE
# DIR_CNF # DIR_CNF
# VAR_NUKE_HASH # VAR_NUKE_HASH
# Arguments: # Arguments:
# None # None
# Returns: # Returns:
# 0: on success # 0: on success
# ERR_GENERATE_SALT # ERR_GENERATE_SALT: on failure
# ERR_READ_NUKE_FILE
####################################### #######################################
nuke_passphrase() { nuke_passphrase() {
declare -r var_nuke_pwd_file="${DIR_CNF}/password_luks_nuke.txt" ### SECRETS handling ---------------------------------------------------------------------------------------------------------
declare var_temp_nuke_hash="" var_temp_plain_nuke_pwd="" var_salt="" var_nuke_rounds="" guard_trace on
### Declare Arrays, HashMaps, and Variables.
declare var_nuke_pwd="${CISS_SECRET_LUKS_NUKE}"
declare var_temp_nuke_hash="" var_salt="" var_nuke_rounds=""
# shellcheck disable=SC2312 # shellcheck disable=SC2312
var_nuke_rounds="$( var_nuke_rounds="$(
@@ -40,30 +44,30 @@ nuke_passphrase() {
' "${DIR_CNF}/partitioning.yaml" | head -n1 ' "${DIR_CNF}/partitioning.yaml" | head -n1
)" )"
[[ ! -f "${var_nuke_pwd_file}" ]] && return 0 [[ -z "${var_nuke_pwd}" ]] && return 0
guard_trace on
if ! read_password_file "${var_nuke_pwd_file}" var_temp_plain_nuke_pwd; then
return "${ERR_READ_NUKE_FILE}"
fi
guard_trace off
if ! var_salt="$(generate_salt)"; then if ! var_salt="$(generate_salt)"; then
return "${ERR_GENERATE_SALT}" return "${ERR_GENERATE_SALT}"
fi fi
var_temp_nuke_hash=$(mkpasswd --method=sha-512 --salt="${var_salt}" --rounds="${var_nuke_rounds:-8388608}" "${var_nuke_pwd}")
guard_trace on # shellcheck disable=SC2034
var_temp_nuke_hash=$(mkpasswd --method=sha-512 --salt="${var_salt}" --rounds="${var_nuke_rounds:-8388608}" "${var_temp_plain_nuke_pwd}")
guard_trace off
declare -grx VAR_NUKE_HASH="${var_temp_nuke_hash}" declare -grx VAR_NUKE_HASH="${var_temp_nuke_hash}"
unset var_temp_nuke_hash var_temp_plain_nuke_pwd
unset var_temp_nuke_hash var_nuke_pwd CISS_SECRET_LUKS_NUKE
do_log "debug" "file_only" "0105() NUKE hash starts with: [${VAR_NUKE_HASH:0:32}...]" do_log "debug" "file_only" "0105() NUKE hash starts with: [${VAR_NUKE_HASH:0:32}...]"
guard_trace off
### SECRETS handling ---------------------------------------------------------------------------------------------------------
guard_dir; return 0 guard_dir; return 0
} }
### Prevents accidental 'unset -f'.
# shellcheck disable=SC2034
readonly -f nuke_passphrase
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

5
func/cdi_3200_partitioning/3210_benchmarking_encryption.sh
View File

@@ -27,7 +27,8 @@ guard_sourcing || return "${ERR_GUARD_SOURCE}"
# 0: on success # 0: on success
####################################### #######################################
benchmarking_encryption() { benchmarking_encryption() {
declare var_result="" ### Declare Arrays, HashMaps, and Variables.
declare var_result=""
# shellcheck disable=SC2155 # shellcheck disable=SC2155
declare -girx VAR_KDF_THREADS=$(yq_val ".recipe.${VAR_RECIPE_STRING}.control.kdf.threads" "${VAR_SETUP_PART}") declare -girx VAR_KDF_THREADS=$(yq_val ".recipe.${VAR_RECIPE_STRING}.control.kdf.threads" "${VAR_SETUP_PART}")
# shellcheck disable=SC2155 # shellcheck disable=SC2155
@@ -37,7 +38,7 @@ benchmarking_encryption() {
sync sync
echo "BENCHMARK CRYPTSETUP ARGON2ID KDF PARAMETER - DROPPING PAGES ..." echo "BENCHMARK CRYPTSETUP ARGON2ID KDF PARAMETER - DROPPING PAGES ..."
echo 3 >| /proc/sys/vm/drop_caches echo 3 >| /proc/sys/vm/drop_caches || true
# shellcheck disable=SC2312 # shellcheck disable=SC2312
var_result=$(cryptsetup benchmark --pbkdf argon2id --iter-time "${VAR_ITER_TIME:-3000}" --pbkdf-parallel "${VAR_KDF_THREADS:-1}" 2>/dev/null \ var_result=$(cryptsetup benchmark --pbkdf argon2id --iter-time "${VAR_ITER_TIME:-3000}" --pbkdf-parallel "${VAR_KDF_THREADS:-1}" 2>/dev/null \

75
func/cdi_3200_partitioning/3220_partition_encryption.sh
View File

@@ -16,6 +16,9 @@ guard_sourcing || return "${ERR_GUARD_SOURCE}"
# Function to encrypt the respective partition on each entry of 'ARY_CRYPT_MOUNT_PATHS'. # Function to encrypt the respective partition on each entry of 'ARY_CRYPT_MOUNT_PATHS'.
# Globals: # Globals:
# ARY_CRYPT_MOUNT_PATHS # ARY_CRYPT_MOUNT_PATHS
# CISS_SECRET_LUKS_BACKUP
# CISS_SECRET_LUKS_BOOT
# CISS_SECRET_LUKS_COMMON
# DIR_BAK # DIR_BAK
# DIR_CNF # DIR_CNF
# DIR_LOG # DIR_LOG
@@ -38,7 +41,6 @@ guard_sourcing || return "${ERR_GUARD_SOURCE}"
# VAR_RECIPE_STRING # VAR_RECIPE_STRING
# VAR_SETUP_PART # VAR_SETUP_PART
# VAR_SETUP_PATH # VAR_SETUP_PATH
# VAR_TEMP_PLAIN_NC_AUTH
# Arguments: # Arguments:
# None # None
# Returns: # Returns:
@@ -61,15 +63,31 @@ partition_encryption() {
var_encryption_ephemeral="" var_encryption_integrity="" var_encryption_cipher="" var_encryption_hash="" \ var_encryption_ephemeral="" var_encryption_integrity="" var_encryption_cipher="" var_encryption_hash="" \
var_encryption_key="" var_encryption_label="" var_encryption_meta="" var_encryption_slot="" \ var_encryption_key="" var_encryption_label="" var_encryption_meta="" var_encryption_slot="" \
var_encryption_pbkdf="" var_encryption_rng="" var_filesystem_label="" var_mount_path="" var_uuid="" var_fs="" \ var_encryption_pbkdf="" var_encryption_rng="" var_filesystem_label="" var_mount_path="" var_uuid="" var_fs="" \
var_luks_backup_file="" var_luks_backup_name="" var_pgp_publickey="" var_luks_backup_pgp="" var_luks_backup_file="" var_luks_backup_name="" var_pgp_publickey="" var_luks_backup_pgp="" \
var_temp_plain_nc_auth=""
declare -a ary_luks_opts=() declare -a ary_luks_opts=()
### SECRETS handling ---------------------------------------------------------------------------------------------------------
guard_trace on
printf '%s' "${CISS_SECRET_LUKS_BOOT}" >| "${DIR_CNF}/password_luks_boot.txt" && chmod 0600 "${DIR_CNF}/password_luks_boot.txt"
printf '%s' "${CISS_SECRET_LUKS_COMMON}" >| "${DIR_CNF}/password_luks_common.txt" && chmod 0600 "${DIR_CNF}/password_luks_common.txt"
unset CISS_SECRET_LUKS_BOOT CISS_SECRET_LUKS_COMMON
guard_trace on
### SECRETS handling ---------------------------------------------------------------------------------------------------------
if [[ -n "${VAR_LUKS_URL}" ]]; then if [[ -n "${VAR_LUKS_URL}" ]]; then
VAR_LUKS_URL=${VAR_LUKS_URL%/} VAR_LUKS_URL=${VAR_LUKS_URL%/}
read_luks_backup_token
do_log "debug" "file_only" "3220() Command: [read_luks_backup_token]" ### SECRETS handling -------------------------------------------------------------------------------------------------------
guard_trace on
var_temp_plain_nc_auth="${CISS_SECRET_LUKS_BACKUP}"
unset CISS_SECRET_LUKS_BACKUP
guard_trace on
### SECRETS handling -------------------------------------------------------------------------------------------------------
do_log "debug" "file_only" "3220() Var: [var_temp_plain_nc_auth] set."
fi fi
@@ -176,13 +194,17 @@ partition_encryption() {
### Opening the encrypted container. ### Opening the encrypted container.
if [[ "${var_encryption_path,,}" == "/boot" ]]; then if [[ "${var_encryption_path,,}" == "/boot" ]]; then
cryptsetup luksOpen "/dev/${var_dev}" \ cryptsetup luksOpen "/dev/${var_dev}" \
--key-file="${DIR_CNF}/password_luks_boot.txt" \ --key-file="${DIR_CNF}/password_luks_boot.txt" \
"${var_encryption_label}" "${var_encryption_label}"
else else
cryptsetup luksOpen "/dev/${var_dev}" \ cryptsetup luksOpen "/dev/${var_dev}" \
--key-file="${DIR_CNF}/password_luks_common.txt" \ --key-file="${DIR_CNF}/password_luks_common.txt" \
"${var_encryption_label}" "${var_encryption_label}"
fi fi
do_log "info" "file_only" "3220() Partition: '/dev/${var_dev}' opened as '/dev/mapper/${var_encryption_label}'." do_log "info" "file_only" "3220() Partition: '/dev/${var_dev}' opened as '/dev/mapper/${var_encryption_label}'."
@@ -254,10 +276,11 @@ partition_encryption() {
if [[ -n "${VAR_LUKS_URL}" ]]; then if [[ -n "${VAR_LUKS_URL}" ]]; then
### SECRETS handling ---------------------------------------------------------------------------------------------------
guard_trace on guard_trace on
if curl --silent --show-error --fail --retry 2 "${VAR_LUKS_URL}/public.php/webdav/${var_luks_backup_name}" \ if curl --silent --show-error --fail --retry 2 "${VAR_LUKS_URL}/public.php/webdav/${var_luks_backup_name}" \
--upload-file "${var_luks_backup_pgp}" --user "${VAR_TEMP_PLAIN_NC_AUTH}" > /dev/null 2>&1; then --upload-file "${var_luks_backup_pgp}" --user "${var_temp_plain_nc_auth}" > /dev/null 2>&1; then
do_log "info" "file_only" "3220() Partition: '/dev/${var_dev}' LUKS Header upload: '${VAR_LUKS_URL}' successful." do_log "info" "file_only" "3220() Partition: '/dev/${var_dev}' LUKS Header upload: '${VAR_LUKS_URL}' successful."
@@ -270,6 +293,7 @@ partition_encryption() {
fi fi
guard_trace off guard_trace off
### SECRETS handling ---------------------------------------------------------------------------------------------------
fi fi
@@ -277,43 +301,18 @@ partition_encryption() {
done done
[[ -n "${VAR_LUKS_URL}" ]] && unset VAR_TEMP_PLAIN_NC_AUTH ### SECRETS handling ---------------------------------------------------------------------------------------------------------
guard_trace on
[[ -n "${VAR_LUKS_URL}" ]] && unset var_temp_plain_nc_auth
guard_trace off
### SECRETS handling ---------------------------------------------------------------------------------------------------------
ciss_secrets_wiper "${DIR_CNF}/password_luks_boot.txt"
ciss_secrets_wiper "${DIR_CNF}/password_luks_common.txt"
guard_dir; return 0 guard_dir; return 0
} }
### Prevents accidental 'unset -f'. ### Prevents accidental 'unset -f'.
# shellcheck disable=SC2034 # shellcheck disable=SC2034
readonly -f partition_encryption readonly -f partition_encryption
#######################################
# Reads the Nextcloud auth token from '${DIR_CNF}/password_luks_backup.txt' into VAR_TEMP_PLAIN_NC_AUTH
# Globals:
# DIR_CNF
# VAR_TEMP_PLAIN_NC_AUTH
# Arguments:
# None
# Returns:
# 0: on success
# ERR_READ_AUTH_FILE: on failure
#######################################
read_luks_backup_token(){
### Declare Arrays, HashMaps, and Variables.
declare -r var_luks_backup_auth="${DIR_CNF}/password_luks_backup.txt"
declare -g VAR_TEMP_PLAIN_NC_AUTH=""
guard_trace on
if ! read_password_file "${var_luks_backup_auth}" VAR_TEMP_PLAIN_NC_AUTH; then
return "${ERR_READ_AUTH_FILE}"
fi
guard_trace off
return 0
}
### Prevents accidental 'unset -f'.
# shellcheck disable=SC2034
readonly -f read_luks_backup_token
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

13
func/cdi_4200_boot/4240_update_grub_password.sh
View File

@@ -15,26 +15,29 @@ guard_sourcing || return "${ERR_GUARD_SOURCE}"
####################################### #######################################
# Append the GRUB superuser block to '/etc/grub.d/40_custom'. # Append the GRUB superuser block to '/etc/grub.d/40_custom'.
# Globals: # Globals:
# DIR_CNF # CISS_SECRET_GRUB
# TARGET # TARGET
# Arguments: # Arguments:
# None # None
# Returns: # Returns:
# 0: on success # 0: on success
# ERR_READ_GRUB_FILE # ERR_READ_GRUB_FILE: on failure
####################################### #######################################
update_grub_password() { update_grub_password() {
### Declare Arrays, HashMaps, and Variables. ### Declare Arrays, HashMaps, and Variables.
declare var_username="superadmin" var_password="" var_password_file="${DIR_CNF}/password_grub.txt" \ declare var_username="superadmin" var_password="" \
var_of="${TARGET}/etc/grub.d/40_custom" var_grub_entry="" var_of="${TARGET}/etc/grub.d/40_custom" var_grub_entry=""
### SECRETS handling ---------------------------------------------------------------------------------------------------------
guard_trace on guard_trace on
var_password=$(<"${var_password_file}") || return "${ERR_READ_GRUB_FILE}" var_password="${CISS_SECRET_GRUB}" || return "${ERR_READ_GRUB_FILE}"
unset CISS_SECRET_GRUB
var_grub_entry=$(generate_grub_password_pbkdf2 "${var_username}" "${var_password}") var_grub_entry=$(generate_grub_password_pbkdf2 "${var_username}" "${var_password}")
guard_trace off guard_trace off
### SECRETS handling ---------------------------------------------------------------------------------------------------------
### Append if not already present. ### Append if not already present.
if ! grep -q "set superusers=" "${var_of}"; then if ! grep -q "set superusers=" "${var_of}"; then
@@ -56,6 +59,8 @@ readonly -f update_grub_password
####################################### #######################################
# Generate PBKDF2 password hash for GRUB. # Generate PBKDF2 password hash for GRUB.
# Globals:
# None
# Arguments: # Arguments:
# 1: Username (default to superadmin). # 1: Username (default to superadmin).
# 2: User password. # 2: User password.

63
func/cdi_4500_user/4520_accounts_setup.sh
View File

@@ -15,6 +15,9 @@ guard_sourcing || return "${ERR_GUARD_SOURCE}"
####################################### #######################################
# Updating root account and generation user accounts. # Updating root account and generation user accounts.
# Globals: # Globals:
# CISS_SECRET_USER_ROOT_PASSWORD
# CISS_SECRET_USER_ROOT_SSHPUBKEY
# LOG_ERR
# RECOVERY # RECOVERY
# TARGET # TARGET
# VAR_RUN_RECOVERY # VAR_RUN_RECOVERY
@@ -27,8 +30,6 @@ guard_sourcing || return "${ERR_GUARD_SOURCE}"
# user_root_authentication_access_ssh # user_root_authentication_access_ssh
# user_root_authentication_access_tty # user_root_authentication_access_tty
# user_root_authentication_password # user_root_authentication_password
# user_root_password
# user_root_sshpubkey
# Arguments: # Arguments:
# None # None
# Returns: # Returns:
@@ -152,7 +153,9 @@ EOF
esac esac
### 4) Check the password policy for the 'root' account. ### 4) Check the password policy for the 'root' account.
chroot_script "${var_target}" "printf '%s:%s\n' 'root' '${user_root_password}' | /usr/sbin/chpasswd -e" chroot_script "${var_target}" "printf '%s:%s\n' 'root' '${CISS_SECRET_USER_ROOT_PASSWORD}' | /usr/sbin/chpasswd -e"
do_log "info" "file_only" "4520() User: 'root' password: inserted."
unset CISS_SECRET_USER_ROOT_PASSWORD
case "${user_root_authentication_password,,}" in case "${user_root_authentication_password,,}" in
@@ -174,9 +177,10 @@ EOF
esac esac
### 5) Update the 'root' SSH pubkey, if provided via 'preseed.yaml'. ### 5) Update the 'root' SSH pubkey, if provided via 'preseed.yaml'.
if [[ -n "${user_root_sshpubkey:-}" ]]; then if [[ -n "${CISS_SECRET_USER_ROOT_SSHPUBKEY:-}" ]]; then
printf "%s\n" "${user_root_sshpubkey}" >| "${var_target}/root/.ssh/authorized_keys" printf "%s\n" "${CISS_SECRET_USER_ROOT_SSHPUBKEY}" >| "${var_target}/root/.ssh/authorized_keys"
unset CISS_SECRET_USER_ROOT_SSHPUBKEY
do_log "info" "file_only" "4520() User: 'root' SSH public key: inserted." do_log "info" "file_only" "4520() User: 'root' SSH public key: inserted."
fi fi
@@ -231,8 +235,8 @@ EOF
tmp_uid="user_user${i}_uid" tmp_uid="user_user${i}_uid"
tmp_gid="user_user${i}_gid" tmp_gid="user_user${i}_gid"
tmp_shell="user_user${i}_shell" tmp_shell="user_user${i}_shell"
tmp_password="user_user${i}_password" tmp_password="CISS_SECRET_USER_USER${i}_PASSWORD"
tmp_sshpubkey="user_user${i}_sshpubkey" tmp_sshpubkey="CISS_SECRET_USER_USER${i}_SSHPUBKEY"
tmp_access_tty="user_user${i}_authentication_access_tty" tmp_access_tty="user_user${i}_authentication_access_tty"
tmp_auth_pwd="user_user${i}_authentication_password" tmp_auth_pwd="user_user${i}_authentication_password"
tmp_2fa_ssh="user_user${i}_authentication_2fa_ssh" tmp_2fa_ssh="user_user${i}_authentication_2fa_ssh"
@@ -450,6 +454,7 @@ EOF
find "${var_target}/home/${var_username}" -xdev -exec chown -h "${var_uid}:${var_gid}" {} + find "${var_target}/home/${var_username}" -xdev -exec chown -h "${var_uid}:${var_gid}" {} +
### 9) Final status logging. ### 9) Final status logging.
unset var_password var_sshpubkey
do_log "info" "file_only" "4520() Created user: [${var_username}] UID: [${var_uid}] GID: [${var_gid}]" do_log "info" "file_only" "4520() Created user: [${var_username}] UID: [${var_uid}] GID: [${var_gid}]"
done done
@@ -460,8 +465,6 @@ EOF
fi fi
unset VAR_TEMP_PLAIN_MFA_SEED
if ! grep -Fqx -- '-: ALL:ALL' "${var_target}/etc/security/access.conf"; then if ! grep -Fqx -- '-: ALL:ALL' "${var_target}/etc/security/access.conf"; then
printf '%s\n' '-: ALL:ALL' >> "${var_target}/etc/security/access.conf" printf '%s\n' '-: ALL:ALL' >> "${var_target}/etc/security/access.conf"
@@ -471,6 +474,8 @@ EOF
printf "# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=conf \n" >> "${var_target}/etc/security/access.conf" printf "# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=conf \n" >> "${var_target}/etc/security/access.conf"
printf "# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=conf \n" >> "${var_target}/etc/ssh/sshd_config" printf "# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=conf \n" >> "${var_target}/etc/ssh/sshd_config"
unset VAR_TEMP_PLAIN_MFA_SEED
guard_dir; return 0 guard_dir; return 0
} }
### Prevents accidental 'unset -f'. ### Prevents accidental 'unset -f'.
@@ -511,12 +516,12 @@ readonly -f eza_installer
####################################### #######################################
# Generates a deterministic TOTP secret based on: # Generates a deterministic TOTP secret based on:
# Username, FQDN, MFA salt, MFA master seed # Username, FQDN, MFA salt, MFA master seed
# Globals: # Globals:
# CISS_SECRET_SEEDS_MFA_INFO
# CISS_SECRET_SEEDS_MFA_SALT
# VAR_FINAL_FQDN # VAR_FINAL_FQDN
# VAR_TEMP_PLAIN_MFA_SEED # VAR_TEMP_PLAIN_MFA_SEED
# user_mfa_info
# user_mfa_salt
# Arguments: # Arguments:
# 1: Username # 1: Username
# Returns: # Returns:
@@ -526,10 +531,11 @@ generate_totp_secret() {
### Declare Arrays, HashMaps, and Variables. ### Declare Arrays, HashMaps, and Variables.
declare var_user="${1}" declare var_user="${1}"
declare var_host_id="${VAR_FINAL_FQDN}" declare var_host_id="${VAR_FINAL_FQDN}"
declare var_salt="${user_mfa_salt}:${var_host_id}:${var_user}" declare var_salt="${CISS_SECRET_SEEDS_MFA_SALT}:${var_host_id}:${var_user}"
declare var_info="${user_mfa_info}" declare var_info="${CISS_SECRET_SEEDS_MFA_INFO}"
declare var_secret="" declare var_secret=""
### SECRETS handling ---------------------------------------------------------------------------------------------------------
guard_trace on guard_trace on
### Derive 20 bytes via HKDF-SHA256 using OpenSSL 3 kdf, output as raw, then base32 (uppercase, no padding). ### Derive 20 bytes via HKDF-SHA256 using OpenSSL 3 kdf, output as raw, then base32 (uppercase, no padding).
@@ -550,6 +556,7 @@ generate_totp_secret() {
printf '%s\n' "${var_secret}" printf '%s\n' "${var_secret}"
guard_trace off guard_trace off
### SECRETS handling ---------------------------------------------------------------------------------------------------------
return 0 return 0
} }
@@ -717,33 +724,31 @@ EOF
readonly -f hardening_sudo readonly -f hardening_sudo
####################################### #######################################
# Reads a 256-bit seed from '${DIR_CNF}/mfa_master.txt' (64 hex chars) into VAR_TEMP_PLAIN_MFA_SEED. # Reads a 256-bit seed from '${CISS_SECRET_SEEDS_MFA_SECRET}' '(64 hex chars) into VAR_TEMP_PLAIN_MFA_SEED.
# Globals: # Globals:
# DIR_CNF # CISS_SECRET_SEEDS_MFA_SECRET
# VAR_TEMP_PLAIN_MFA_SEED # VAR_TEMP_PLAIN_MFA_SEED
# Arguments: # Arguments:
# None # None
# Returns: # Returns:
# 0: on success # 0: on success
# ERR_READ_SEED_FILE # ERR_READ_SEED_FILE: on failure
####################################### #######################################
read_totp_seed(){ read_totp_seed(){
### Declare Arrays, HashMaps, and Variables. ### Declare Arrays, HashMaps, and Variables.
declare -r var_mfa_seed_file="${DIR_CNF}/mfa_master.txt"
declare -g VAR_TEMP_PLAIN_MFA_SEED="" declare -g VAR_TEMP_PLAIN_MFA_SEED=""
### SECRETS handling ---------------------------------------------------------------------------------------------------------
guard_trace on guard_trace on
if ! read_password_file "${var_mfa_seed_file}" VAR_TEMP_PLAIN_MFA_SEED; then VAR_TEMP_PLAIN_MFA_SEED="${CISS_SECRET_SEEDS_MFA_SECRET}"
unset CISS_SECRET_SEEDS_MFA_SECRET
return "${ERR_READ_SEED_FILE}"
fi
### Validate: exactly 64 hex. ### Validate: exactly 64 hex.
[[ "${VAR_TEMP_PLAIN_MFA_SEED}" =~ ^[0-9a-fA-F]{64}$ ]] || return "${ERR_READ_SEED_FILE}" [[ "${VAR_TEMP_PLAIN_MFA_SEED}" =~ ^[0-9a-fA-F]{64}$ ]] || return "${ERR_READ_SEED_FILE}"
guard_trace off guard_trace off
### SECRETS handling ---------------------------------------------------------------------------------------------------------
return 0 return 0
} }
@@ -889,14 +894,17 @@ readonly -f write_ciss_2fa_user
write_google_authenticator_file() { write_google_authenticator_file() {
### Declare Arrays, HashMaps, and Variables. ### Declare Arrays, HashMaps, and Variables.
declare -r var_user="${1}" var_user_id="${2}" var_group_id="${3}" var_target="${4}" declare -r var_user="${1}" var_user_id="${2}" var_group_id="${3}" var_target="${4}"
declare var_secret="" declare -i i=0
declare var_secret="" __umask=""
__umask=$(umask)
case "${1}" in case "${1}" in
root) declare var_base="${var_target}/root" ;; root) declare var_base="${var_target}/root" ;;
*) declare var_base="${var_target}/home/${var_user}" ;; *) declare var_base="${var_target}/home/${var_user}" ;;
esac esac
declare -i i=0
### SECRETS handling ---------------------------------------------------------------------------------------------------------
guard_trace on guard_trace on
var_secret="$(generate_totp_secret "${var_user}")" var_secret="$(generate_totp_secret "${var_user}")"
@@ -941,9 +949,10 @@ write_google_authenticator_file() {
} >| "${DIR_TMP}/TOTP_${var_user}.secret" } >| "${DIR_TMP}/TOTP_${var_user}.secret"
chmod 0400 "${DIR_TMP}/TOTP_${var_user}.secret" chmod 0400 "${DIR_TMP}/TOTP_${var_user}.secret"
umask 0022
guard_trace off guard_trace off
### SECRETS handling ---------------------------------------------------------------------------------------------------------
umask "${__umask}"
return 0 return 0
} }

21
lib/cdi_0050_debug/0051_debug_var_dump.sh
View File

@@ -13,11 +13,13 @@
guard_sourcing || return "${ERR_GUARD_SOURCE}" guard_sourcing || return "${ERR_GUARD_SOURCE}"
####################################### #######################################
# Capture an initial snapshot of all variables (excluding '^(BASH|_).*'). # Capture an initial snapshot of all variables (excluding '^(BASH|_|CISS_SECRET_)').
# Globals: # Globals:
# VAR_DUMP_VARS_INITIAL # VAR_DUMP_VARS_INITIAL
# Arguments: # Arguments:
# None # None
# Returns:
# 0: on success
####################################### #######################################
dump_vars_initial() { dump_vars_initial() {
# shellcheck disable=SC2312 # shellcheck disable=SC2312
@@ -25,12 +27,16 @@ dump_vars_initial() {
declare var declare var
while IFS= read -r var; do while IFS= read -r var; do
declare -p "${var}" 2> /dev/null declare -p "${var}" 2> /dev/null
done < <(compgen -v | grep -Ev '^(BASH|_).*') done < <(compgen -v | grep -Ev '^(BASH|_|CISS_SECRET_)')
} | sort >| "${VAR_DUMP_VARS_INITIAL}" } | sort >| "${VAR_DUMP_VARS_INITIAL}"
return 0
} }
### Prevents accidental 'unset -f'.
# shellcheck disable=SC2034
readonly -f dump_vars_initial
####################################### #######################################
# Capture the final snapshot of all variables (excluding '^(BASH|_).*'). # Capture the final snapshot of all variables (excluding '^(BASH|_|CISS_SECRET_)').
# Globals: # Globals:
# LOG_VAR # LOG_VAR
# VAR_DUMP_VARS_FINAL # VAR_DUMP_VARS_FINAL
@@ -38,6 +44,8 @@ dump_vars_initial() {
# VAR_VERSION # VAR_VERSION
# Arguments: # Arguments:
# None # None
# Returns:
# 0: on success
####################################### #######################################
dump_vars_exiting() { dump_vars_exiting() {
set +x set +x
@@ -46,7 +54,7 @@ dump_vars_exiting() {
declare var declare var
while IFS= read -r var; do while IFS= read -r var; do
declare -p "${var}" 2>/dev/null declare -p "${var}" 2>/dev/null
done < <(compgen -v | grep -Ev '^(BASH|_).*') done < <(compgen -v | grep -Ev '^(BASH|_|CISS_SECRET_)')
} | sort >| "${VAR_DUMP_VARS_FINAL}" } | sort >| "${VAR_DUMP_VARS_FINAL}"
set -x set -x
@@ -71,5 +79,10 @@ dump_vars_exiting() {
set -x set -x
rm -f "${VAR_DUMP_VARS_INITIAL}" "${VAR_DUMP_VARS_FINAL}" rm -f "${VAR_DUMP_VARS_INITIAL}" "${VAR_DUMP_VARS_FINAL}"
return 0
} }
### Prevents accidental 'unset -f'.
# shellcheck disable=SC2034
readonly -f dump_vars_exiting
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

3
meta_loader_func.sh
View File

@@ -28,7 +28,8 @@ source_guard "./func/cdi_1200_validation/1222_validation_preseed.sh"
source_guard "./func/cdi_1250_yaml/1250_yaml_parser.sh" source_guard "./func/cdi_1250_yaml/1250_yaml_parser.sh"
source_guard "./func/cdi_1250_yaml/1251_yaml_reader.sh" source_guard "./func/cdi_1250_yaml/1251_yaml_reader.sh"
source_guard "./func/cdi_1250_yaml/1252_yaml_validator.sh" source_guard "./func/cdi_1250_yaml/1252_yaml_validator.sh"
source_guard "./func/cdi_1250_yaml/1256_secret_parser.sh" source_guard "./func/cdi_1250_yaml/1256_yaml_xfiles.sh"
source_guard "./func/cdi_1250_yaml/1257_yaml_xnuke.sh"
### cdi_3200_partitioning ### cdi_3200_partitioning
source_guard "./func/cdi_3200_partitioning/3200_partitioning.sh" source_guard "./func/cdi_3200_partitioning/3200_partitioning.sh"

1
meta_loader_lib.sh
View File

@@ -42,7 +42,6 @@ source_guard "./lib/cdi_0100_arg/0101_arg_sanitizer.sh"
source_guard "./lib/cdi_0100_arg/0102_arg_parser.sh" source_guard "./lib/cdi_0100_arg/0102_arg_parser.sh"
source_guard "./lib/cdi_0100_arg/0103_arg_priority_check.sh" source_guard "./lib/cdi_0100_arg/0103_arg_priority_check.sh"
source_guard "./lib/cdi_0100_arg/0104_arg_passphrase_modules.sh" source_guard "./lib/cdi_0100_arg/0104_arg_passphrase_modules.sh"
source_guard "./lib/cdi_0100_arg/0105_arg_nuke_converter.sh"
source_guard "./lib/cdi_0110_interactive/0110_dialog_kernel.sh" source_guard "./lib/cdi_0110_interactive/0110_dialog_kernel.sh"
source_guard "./lib/cdi_0110_interactive/0115_dialog_notes.sh" source_guard "./lib/cdi_0110_interactive/0115_dialog_notes.sh"

1
var/errors.var.sh
View File

@@ -60,6 +60,7 @@ declare -girx ERR_VERIFY_LOGROTATE=213 # Error verification by 'logrotate'.
declare -girx ERR_READ_AUTH_FILE=212 # Error reading the Luks Backup auth token file. declare -girx ERR_READ_AUTH_FILE=212 # Error reading the Luks Backup auth token file.
declare -girx ERR_ACCOUNT_CREATE=211 # Error creating user accounts. declare -girx ERR_ACCOUNT_CREATE=211 # Error creating user accounts.
declare -girx ERR_LUKS_HEADER_ENC=210 # Error encrypting LUKS Header backup. declare -girx ERR_LUKS_HEADER_ENC=210 # Error encrypting LUKS Header backup.
declare -girx ERR_DECRYPTION_SOPS=132 # An error occurred while decrypting SECRETS.yaml.
declare -girx ERR_MISSING_AGE_BIN=130 # SOPS binary for decryption SECRETS.yaml missing. declare -girx ERR_MISSING_AGE_BIN=130 # SOPS binary for decryption SECRETS.yaml missing.
declare -girx ERR_MISSING_AGE_KEY=129 # AGE key for decryption SECRETS.yaml values missing. declare -girx ERR_MISSING_AGE_KEY=129 # AGE key for decryption SECRETS.yaml values missing.
declare -girx ERR_GUARD_SOURCE=128 # Module tried to load twice. declare -girx ERR_GUARD_SOURCE=128 # Module tried to load twice.

8
var/global.var.sh
View File

@@ -52,13 +52,11 @@ declare -grx VAR_SETUP_PART="${DIR_CNF}/partitioning.yaml"
### Initialize SECRETS.yaml variables. ### Initialize SECRETS.yaml variables.
# shellcheck disable=SC2034 # shellcheck disable=SC2034
declare -gA CISS_SECRETS_MAP=() # YAML path (w/o '.value' and without 'secrets.') -> varname. declare -gA CISS_SECRETS_MAP=() # YAML path (w/o '.value' and without 'secrets.') -> varname.
# shellcheck disable=SC2034 # shellcheck disable=SC2034
declare -g CISS_SECRETS_AGE="" # AGE PRIVATE Keyfile to decrypt SOPS encrypted values. declare -g CISS_SECRETS_AGE="/root/.config/sops/age/keys.txt" # AGE PRIVATE Keyfile to decrypt SOPS encrypted values.
# shellcheck disable=SC2034 # shellcheck disable=SC2034
declare -gr CISS_SECRETS_SOURCE="${DIR_CNF}/SECRETS.yaml" # Effective YAML source used (plain or decrypted stream) declare -gr CISS_SECRETS_SOURCE="${DIR_CNF}/SECRETS.yaml" # Effective YAML source used (plain or decrypted stream).
# shellcheck disable=SC2034
declare -g CISS_SECRETS_XFILES="" # Derived from SOPS presence heuristic.
### Base mount paths and variables for debootstrap. ### Base mount paths and variables for debootstrap.
declare -grx TARGET="/target" declare -grx TARGET="/target"